[ CVE-2022-1582 ] Wordpress External Links in New Window Analysis

Description

Vulenerable Version : < 1.43

 

"External Links in New Window" is one of wordpress plugin that let user set URLS which should either be forced to open in a new window or ignored it. 

 

CVE-2022-1482 is a (unauthenticated) Stored XSS vulnerability in external new tab, a plugin in wordpress because it doesn't escape URLs appropriately so it concatenates to onclick event handlers.

 

    function admin_footer()
    {
      if (false === $this->is_plugin_screen()) {
        return;
      }

      $out = '';
      $icons_url = plugin_dir_url($this->plugin_file) . 'wf-flyout/icons/';
      $default_link_item = array('class' => '', 'href' => '#', 'target' => '_blank', 'label' => '', 'icon' => '');

      $out .= '<div id="wff-overlay"></div>';

      $out .= '<div id="wf-flyout">';

      $out .= '<a href="#" id="wff-button">';
      $out .= '<span class="wff-label">Open Quick Links</span>';
      $out .= '<span id="wff-image-wrapper">';
      $out .= '<img src="' . $icons_url . $this->config['icon_image'] . '" alt="Open Quick Links" title="Open Quick Links">';
      $out .= '</span>';
      $out .= '</a>';

      $out .= '<div id="wff-menu">';
      $i = 0;
      foreach (array_reverse($this->config['menu_items']) as $item) {
        $i++;
        $item = array_merge($default_link_item, $item);

        if (!empty($item['icon']) && substr($item['icon'], 0, 9) != 'dashicons') {
          $item['class'] .= ' wff-custom-icon';
          $item['class'] = trim($item['class']);
        }

        $out .= '<a href="' . $item['href'] . '" class="wff-menu-item wff-menu-item-' . $i . ' ' . $item['class'] . '" target="_blank">';
        $out .= '<span class="wff-label visible">' . $item['label'] . '</span>';
        if (substr($item['icon'], 0, 9) == 'dashicons') {
          $out .= '<span class="dashicons ' . $item['icon'] . '"></span>';
        } elseif (!empty($item['icon'])) {
          $out .= '<span class="wff-icon"><img src="' . $icons_url . $item['icon'] . '"></span>';
        }
        $out .= '</a>';
      } // foreach
      $out .= '</div>'; // #wff-menu

      $out .= '</div>'; // #wf-flyout

      echo $out;
    } // admin_footer

You can find above code in filename of '/wf-flyout/wf-flyout.php'. 

 

In "admin_footer()" function after setting up $out variable, the function returns $out variables as it is. If attacker upload malicious XSS script, it can be triggered.

 

PoC

<a href="https://youtube.com/'-alert('Hello world')-'/">This is XSS test</a>

 

 

 

You can see that the plugin patched "admin_footer()" code to escape URLs like this. 

Now, Filtering function specify the allowed css & tag.